GoldenJackal APT breached European air-gapped systems

October 10, 2024

GoldenJackal, an advanced persistent threat (APT) group, has reportedly infiltrated air-gapped systems belonging to European government organisations, using two distinct toolsets to harvest sensitive information.

According to the reports, the toolsets can steal a wide range of data, including emails, encryption keys, photos, archives and documents. Researchers found that this kind of attack has already taken place on two separate occasions.

The first occurred in 2019 and targeted a South Asian embassy in Belarus. The second ran between May 2022 and March 2024 against a European government entity.

Reports of GoldenJackal activity had already surfaced in May 2023, describing espionage against government and diplomatic entities. Although the group's use of custom tools spread via USB drives, such as 'JackalWorm', was known at the time, a confirmed compromise of air-gapped computers had not previously been documented.

Organisations use air-gapped systems for critical operations that frequently handle confidential information, and physically separate them from public networks as a security precaution. Because such systems have no network path to the outside, compromising them requires a bridge, typically removable media carried between an internet-connected machine and the isolated one.

The new GoldenJackal campaign appears to reuse the air-gap infiltration strategy seen in the group's earlier attack.

The earlier investigation established that GoldenJackal's attack chain starts by compromising an internet-connected PC. The researchers explained that this initial foothold is believed to have come from trojanised software or malicious documents, which deploy a component named 'GoldenDealer'.

GoldenDealer watches for USB drives being inserted into the infected system and immediately copies itself and the other malicious components onto them. When the same USB drive is later plugged into an air-gapped computer, GoldenDealer installs a backdoor called GoldenHowl and an information stealer dubbed GoldenRobo on that machine.

GoldenRobo then scans the air-gapped system for files of interest, such as documents, images, certificates, encryption keys, archives and OpenVPN configuration files, and writes what it collects to a hidden directory on the USB drive.

When the USB drive is removed from the air-gapped machine and reconnected to the original internet-connected system, GoldenDealer automatically exfiltrates the collected data to an attacker-controlled command-and-control (C2) server.
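As an added example (not code from the original article or from the research it summarises), the following Python audit shows what a responder could run against a mounted removable drive to look for the staging pattern described above: a hidden directory holding harvested documents, keys and VPN configs, alongside executables dropped at the drive root. The directory layout, file names and extension lists are constructed assumptions for illustration, not indicators published for GoldenJackal.

```python
"""Audit a removable drive for USB-relay staging: hidden directories full of
harvested files plus executable payloads at the root. Hypothetical helper,
written for this article; extensions and sample layout are assumptions."""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# File types the article says the stealer harvests (documents, images,
# certificates, keys, archives, OpenVPN configs). The exact extension
# list is an assumption, not a published indicator.
HARVEST_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".png",
                ".pem", ".crt", ".key", ".p12", ".pfx", ".zip", ".rar",
                ".7z", ".ovpn"}
# Executable types a staging component could drop on the drive (assumption).
PAYLOAD_EXTS = {".exe", ".dll", ".scr", ".py", ".bat", ".ps1", ".lnk"}


def is_hidden(path: Path) -> bool:
    """Hidden by dot-prefix (POSIX) or by the Windows HIDDEN attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def under_hidden_dir(root: Path, d: Path) -> bool:
    """True if d or any ancestor below root is hidden."""
    cur = d
    while cur != root:
        if is_hidden(cur):
            return True
        cur = cur.parent
    return False


def audit_removable_media(root) -> dict:
    """Walk the drive and report root-level payloads, hidden directories,
    and harvest-type files stored underneath a hidden directory."""
    root = Path(root)
    findings = {"root_payloads": [], "hidden_dirs": [], "staged_files": []}
    for entry in root.iterdir():
        if entry.is_file() and entry.suffix.lower() in PAYLOAD_EXTS:
            findings["root_payloads"].append(entry.name)
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d == root:
            continue
        if is_hidden(d):
            findings["hidden_dirs"].append(d.relative_to(root).as_posix())
        if under_hidden_dir(root, d):
            for f in filenames:
                if Path(f).suffix.lower() in HARVEST_EXTS:
                    findings["staged_files"].append(
                        (d / f).relative_to(root).as_posix())
    for key in findings:
        findings[key].sort()
    # Either a staged cache of harvested files or an unexpected root
    # executable is enough to pull the drive for deeper analysis.
    findings["suspicious"] = bool(findings["staged_files"]
                                  or findings["root_payloads"])
    return findings


def build_sample_drive() -> Path:
    """Constructed stand-in for a drive image (not a real capture): benign
    photos, one dropped executable, and a hidden cache of harvested files."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "holiday_photos").mkdir()
    (root / "holiday_photos" / "beach.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "update.exe").write_bytes(b"MZ")
    stage = root / ".cache"
    (stage / "docs").mkdir(parents=True)
    (stage / "docs" / "budget.docx").write_bytes(b"PK\x03\x04")
    (stage / "client.ovpn").write_text("remote vpn.example.invalid 1194\n")
    (stage / "id_rsa.key").write_text("-----BEGIN PRIVATE KEY-----\n")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    try:
        for k, v in audit_removable_media(drive).items():
            print(f"{k}: {v}")
    finally:
        shutil.rmtree(drive)
```

Point the audit at the mount point of a drive that has crossed the air gap; a non-empty `staged_files` list is the USB-resident half of the relay described in the text, and `root_payloads` is the half that lands on the next machine the drive is plugged into. The benign `holiday_photos/beach.jpg` is deliberately not flagged, since only files under a hidden directory count as staged.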

GoldenHowl is a modular Python backdoor that can perform a range of tasks, including stealing files, establishing persistence, scanning for vulnerabilities, and communicating directly with a command-and-control server.

Organisations, and government entities in particular, should familiarise themselves with these threats, as they are the primary targets of such campaigns. Since the attack depends on removable media crossing the air gap, controlling USB use and inspecting drives for unexpected executables and hidden directories are the practical defensive takeaways.
